In the most general form of EKE, at least one party encrypts an ephemeral (one-time) public key using a password, and sends it to a second party, who decrypts it and uses it to negotiate a shared key with the first party.

A second paper describes Augmented-EKE,[2] and introduced the concept of augmentedpassword-authenticated key agreement for client/server scenarios. Augmented methods have the added goal of ensuring that password verification data stolen from a server cannot be used by an attacker to masquerade as the client, unless the attacker first determines the password (e.g. by performing a brute force attack on the stolen data).

A version of EKE based on Diffie–Hellman, known as DH-EKE, has survived attack and has led to improved variations, such as the PAK family of methods in IEEE P1363.2.

With the US patent on EKE expiring in late 2011, an EAP authentication method using EKE was published as an IETF RFC.[3] The EAP method uses the Diffie–Hellman variant of EKE.